Merry Christmas, and be sure to check your online statements: security investigations reveal that the tens of millions of credit card numbers stolen from Target shoppers in the weeks since Thanksgiving are indeed flooding the black market and making their way around the world.
The news came out on Tuesday that Target had been, well, targeted in a massive data breach between November 27 and December 15. Roughly 40 million Target shoppers have had their credit or debit card data stolen. That is, to put it mildly, a whole heck of a lot of credit cards. And it’s a whole heck of a lot of money for the criminals who sell them.
Security expert Brian Krebs, who first broke the news about the breach, reports on his site that the stolen card numbers have been flooding the markets where such things are sold. The card numbers are being sold in batches of one million each, and commanding prices of $20 to $100 per card (so, $20 million to $100 million per batch).
Krebs’s investigation is a step-by-step look into how the stolen numbers are sold and how banks are able to identify compromised customers. It’s an interesting peek at the kind of detective work that goes in to tracing a breach like this.
The story starts at the online shop where the credit card numbers are sold. They move in batches, and the batches have code names indicating they were all lifted from the same merchant. The particular online shop featured in the investigation also includes the city and ZIP code of the store where the card was stolen from, because that information can help thieves make local purchases that are less likely to be immediately caught and flagged as fraud.
Krebs talked to a big bank and also worked with a small local bank that purchased 20 of their own illegally obtained card numbers from the online shop. The bank ran data analyses on all the cards and discovered that the commonality among them was indeed that they had been used at Target stores during the past few weeks. Look at what enough stolen card numbers have in common, and the shape and scope of a data breach starts to become clear.
Banks, large and small, are hesitant to proactively cancel and reissue all potentially affected cards at the moment. Not only is it a somewhat resource-intensive project, but with less than a week to go until Christmas, no bank wants to find themselves suddenly catching attention for leaving thousands of customers without access to their cards for travel and gifts.
As Krebs explains about the small bank: “The bank wasn’t exactly chomping at the bit to re-issue the cards; that process costs around $3 to $5 per card, but more importantly it didn’t want to unnecessarily re-issue cards at a time when many of its customers would be racing around to buy last-minute Christmas gifts and traveling for the holidays.” And although cancelling the cards might be in the best interest of fraud prevention, it’s easy to see why that bank is treading carefully: that one small bank found that a full 5% of cards they issue had been used at Target stores during the time of the breach.
The good, or at least less awful, news about the breach is that the CVV2 codes–that little three-digit number on the back, under your signature–aren’t among the stolen data. A large number of online merchants require that code in order to make purchases, and this is basically why: so that it’s a lot harder to click that “buy” button without the original card actually in your hand.
So if you (like yours truly, alas) shopped at Target since Thanksgiving, keep an eye on your statements not only for strange shops you never heard of, but also for suspicious purchases made in your area. They could indeed be last-minute Christmas gifts… but they certainly aren’t good tidings for you.
Cards Stolen in Target Breach Flood Underground Markets [Krebs On Security]